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Abstract —In this paper we investigate (in)security aspects of 
Automatic Dependent Surveillance-Broadcast (ADS-B) proto¬ 
col. ADS-B is intended to be widely deployed in Air Traffic 
Management (ATM) Surveillance systems by 2020. One of the 
goals of ADS-B is to increase safety of air traffic. While the 
security of ADS-B was previously questioned, in this paper 
we demonstrate that attacks are both easy and practically 
feasible, for a moderately sophisticated attacker. Attacks range 
from passive attacks (eavesdropping) to active attacks (message 
jamming, replaying of injection). 

The attacks have been implemented using an Universal Soft¬ 
ware Radio Peripheral (USRP), a widely available Software- 
Defined Radio (SDR), for which we developed an ADS-B 
receiver/transmitter chain with GNURadio. We then present 
and analyze the results of the implemented attacks tested 
against both USRP-based and commercial-off-the-self (COTS) 
radio-enthusiast receivers. Subsequently, we discuss the risks 
associated with the described attacks and their implication on 
safety of air-traffic, as well as possible solutions on short and 
long terms. Finally, we argue that ADS-B, which is planned 
for long-term use, lacks the minimal and necessary security 
mechanism to ensure necessary security of the air traffic. 

Key words -Architecture and Design Air Traffic Control, 
Air Traffic Management, Automatic Dependent Surveillance- 
Broadcast, ADS-B, message injection, message replay, wireless 
security, privacy. 

I. Introduction 

Automatic Dependent Surveillance-Broadcast (ADS-B) 
is an Air Traffic Management and Control (ATM/ATC) 
Surveillance system that is intended to replace traditional 
radar based systems and is expected to become an essential 
part of the Next Generation Air Transportation System 
(NextGen)-like systems. Figure 1 shows an envisioned by 
[4], and already partially deployed, architecture for the 
NextGen-like systems, along with ADS-B as part of it. 

The concept behind ADS-B is quite simple and can be 
summarized as follows: ADS-B avionics broadcast a plain 
text, unencrypted, error-code protected messages over radio 
transmission links, approximately once per second. Those 
messages contain the aircraft’s position, velocity, identifica¬ 
tion, and other ATC/ATM-related information. 

For the spatial position derivation, ADS-B is designed 
to use mainly GPS, though GPS is prone to GPS-derived 
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Figure 1. Envisioned NextGen airspace system with ADS-B and e-enabled 
aircrafts according to [4], 


attacks [53], [54], However, these GPS-oriented attacks are 
out of scope of this paper, Tippenhauer et al. provides more 
details on GPS spoofing in [32], On the other hand, GPS 
sensors used in ADS-B devices must comply with ADS- 
B requirements, specifically with RTCA/DO-229C TSO- 
C145a [24] (e.g. Garmin GDL 90 [59], Freeflight 120x [60] 
and others). Those standards specify the requirements for 
integrity checks on GPS signals, hence allowing ADS-B to 
withstand most GPS-related attacks. On top, [33] suggests 
inclusion of spatial accuracy parameters in ADS-B messages 
to enable GPS error computation by the receiver, while [34] 
proposes the use of Ground-Based Augmentation System 
(GBAS) to add resilience to unintentional or intentional GPS 
errors. 

ADS-B can be used for several purposes and has the 
following intended benefits : 

• increased safety of the air-traffic management and con¬ 
trol. It is intended to dramatically improve situational 
awareness of pilots, by providing them access to the 
same kind of real-time air-traffic information as ATC 
controllers. For example, will receive information from 
other aircrafts and information about weather and ter¬ 
rain. 






• improve air-traffic conflict detection and resolution. 
ADS-B will allow planes to know their relative posi¬ 
tions, without relying on an infrastructure. 

• optimize and compact the air-traffic. The traditional 
passive radar system has relatively low resolution. 
Moreover, with traditional radars, accuracy of the po¬ 
sition depends on the distance to the plane. Finally, 
radars usually are not able to provide altitude infor¬ 
mation. ADS-B has much better coordinates resolution 
and effective range of 100-200 nautical miles [18] 1 . 
Therefore, it is expected that ADS-B will allow for 
a much better use of airspace by allowing to reduce 
distance between planes, especially near busy airports. 

Surprisingly, despite years of standardization ([19] [20] 
[21] [22] [23]), development, thorough testing, and an 
ongoing deployment, by design ADS-B protocol used in 
commercial air-traffic doesn’t specify mechanisms to ensure 
that protocol messages are authentic, non-replayed or adhere 
to other security properties. 

In this paper, our main focus is to demonstrate the 
easiness, feasibility and practicality, compared to previous 
works which covered the theoretical aspects of insecurity 
in ADS-B. For this purpose we set up a practical, low-cost 
and moderately sophisticated attack against new-generation, 
high-cost and safety-critical ADS-B technology. Specifically, 
despite the fact that manual validation procedures exist [25] 
to partially mitigate the presented attacks, conducting such 
attacks in continuous and/or distributed fashion on the ATCs 
and aircrafts greatly increases the chances of human error. 
For example, under conditions of erroneous or uncertain 
data, the stress factor, associated with continuous erroneous 
messages on display of ATC and critical time response 
requirements, increases and affects the safety of the entire 
system. 

While completely unrelated to ADS-B, it was reported 
that the effect of erroneous data from wind speed sensors 
combined with stress factors have played an important role 
in Air France Flight 447 fatal crash[57]. This combination 
have practically nullified pilots’ basic flight knowledge and 
well-known recovery procedures, as the final report on the 
crash attests [58]: 

A crew can be faced with an unexpected situation 
leading to a momentary but profound loss of com¬ 
prehension. If, in this case, the supposed capacity 
for initial mastery and then diagnosis is lost, the 
safety model is then in “common failure mode”. 
During this event, the initial inability to master the 
flight path also made it impossible to understand 
the situation and to access the planned solution. 

The question that follows is: would malicious ADS-B 
messages be sufficient to confuse pilots, or air traffic control 
personnel, and lead to dangerous maneuvers? 

'Approximately 180-370 km. 


Organization 

The rest of this paper is organized as follows: in Section II 
background and basic details of ADS-B are introduced; then, 
in Section III we present the main security problems and 
security models associated with ADS-B. Subsequently, in 
Section IV we present our setup and used methodology to 
practically demonstrate problems from Section III; Section V 
discusses prior work, along with our new findings, prospects 
for future research and covers existing proposed solutions as 
well as presents potential solutions and mitigations resulted 
from our research; finally. Section VI concludes the paper. 

II. Background 

A. SSR, Transponders and Transponder Modes 

Before introducing ADS-B, we define some additional 
terms and technologies to provide a better understanding of 
the field. Primary Surveillance Radars (PSR) are radars that 
detect presence of planes via the reflection of radio waves by 
the planes. Currently, one of the main ways to keep track of 
aircrafts and flights is by means of Secondary Surveillance 
Radars (SSR). A SSR detects and measures the position 
of aircrafts, as well as requests additional information from 
the aircrafts. SSR does so by relying on radar transponders 
installed on aircrafts. Transponders (transmitter-responders), 
receive requests and transmit replies in so called interro¬ 
gation modes. Initially, for civilian/commercial traffic there 
was Mode-A and Mode-C, whereas Mode-S is an enhanced 
mode which provides multiple information formats to a 
selective (hence S) interrogation. Every aircraft is assigned 
a fixed 24-bit ICAO address. 

In this context, technology-wise ADS-B is an upgrade to 
SSR, which is expected to be faded-out and give place to 
ADS-B as main technology, whereas data-wise ADS-B is an 
extension of Mode-S. 

B. ADS-B Overview 

At the physical medium level, ADS-B operates at two 
radio frequencies: 1030 MHz for the active interrogation, 
for example from ATC towers, radars or other aircrafts, and 
1090 MHz for the active response or normal broadcasts, 
for example from aircrafts or less commonly from airport 
vehicles. For interoperability, regulatory and legacy pur¬ 
poses, ADS-B is being supported by two different data links, 
specifically 1090 MHz Extended Squitter (1090ES) and Uni¬ 
versal Access Transceiver (UAT). As part of NextGen ATM 
systems, ADS-B is being co-developed and co-deployed 
with Flight Information Services-Broadcast (FIS-B) and 
Traffic Information Service-Broadcast (TIS-B). Both FIS-B 
and TIS-B may be susceptible to similar attacks as those 
described in this paper. However, such protocols are used 
for less critical information, we therefore did not investigate 
actual attacks feasibility, which we leave for future work. 



In terms of active response and normal broadcasts, the 
roles of an entity in the ADS-B architecture can be ei¬ 
ther broadcast transmitter, referred to as ADS-B OUT, or 
broadcast receiver, referred to as ADS-B IN. Currently, most 
aircrafts are designated broadcast transmitters and equipped 
with ADS-B OUT technology. Therefore, theit role in ADS- 
B is to broadcast their position for further analysis and 
aggregation at ATC towers and ATM stations. 

However, since one of the most advertised benefits of 
ADS-B is the aircraft pilot’s ability to have superior situa¬ 
tional awareness, ADS-B IN technology, which is currently 
deployed mainly in ATC towers, is being deployed and 
undergoes testing in aircrafts. According to [55], SWISS is 
pioneering use of ADS-B IN in Europe and is one of only 
five airlines around the world to participate in the airborne 
traffic situational awareness (ATSAW) project. ADS-B IN 
is supposed to enable ATSAW, spacing, separation and self¬ 
separation applications. However, from a security point of 
view, ADS-B IN in aircrafts raises a new set of challenges. 
For example, reliably verifying online 2 and in real-time the 
validity of identity, position and flight-paths from a received 
broadcast. While this scenario is manageable in a ground 
ATC station, where high-speed connectivity is not an issue, 
it is more difficult to perform in an aircraft. 

At the data-link level, the ADS-B protocol is encapsulated 
in Mode-S frames. As such, ADS-B uses pulse-position- 
modulation (PPM) and the replies/broadcasts are encoded 
by a certain number of pulses, each pulse being 1 /js long. 
Therefore, ADS-B has a data rate of 1 Mbit/sec. The 
reply/broadcast frames consist of a preamble and a data- 
block. The preamble, of 8/is long, is used to synchronize 
the transmitters and receivers, it consists of four pulses with 
a length of 0.5/is per pulse, with interspaces (to the first 
pulse) of 1, 3.5 and 4.5/xs respectively. It is unspecified 
whether collision detection (CD) or collision avoidance (CA) 
on the medium-access level exists for the ADS-B protocol. 
Data-blocks are either 56 bit or 112 bit long and are 
used to encode various downlink format (DF) messages. 
For the purpose of this paper, the most interesting DFs 
are DF11 (Mode S Only All-Call Reply) and DF17 (1090 
Extended Squitter). The secure Mode-S/ADS-B mode, used 
in military, is encoded in DF19 (Military Extended Squitter), 
lightly covered by [27], in DF22 (Military use only), covered 
by [28], [29], [30], [31], and in Mode-5 crypto/secure mode, 
which uses enhanced cryptography based on time-of-day 
information and direct sequence spread spectrum modulation 
as specified in NATO STANAG 4193 and ICAO Annex 
10. To the best of our knowledge the exact specifications 
of DF19, DF22, Mode-5 crypto/secure-more are not public 
as of time of writing .Figure 2 shows an example ADS-B 
message with the PPM modulation of an ADS-B encoded 
short frame (56 bits). 

2 To check different data sources such as flights plans. 


On the non technical side though, upgrade to ADS-B 
technology assumes massive investments in both time and 
money. According to [17], FAA (USA) alone estimates 
that the implementation will occur during the period 2006- 
2035. In financial terms, the projected total spending for 
the moment exceeds $1176M and is expected to be a 
multi-billion total expenditure by the final implementation 
and deployment. Despite missing public data from EURE- 
CONTROL (EU) and CASA (Australia) related to ADS-B 
implementation costs, we would assume the investments in 
time and money to be similar. 

Given the budget involved, and the sensitivity of air- 
traffic, it is surprising that such a system was not desiged 
with security in mind. 

III. Problem formulation 

Since ADS-B is supposed to support mission-critical 
automatic and human decisions, and have direct impact on 
the overall air-traffic safety, it is imperative that technology 
behind ADS-B meets operational, performance and security 
requirements. 

However, the main problem with ADS-B is the lack 
security mechanisms, specifically: 

• lack of entity authentication to protect against message 
injection from unauthorized entities. 

• lack of message signatures or authentication codes to 
protect against tampering of messages or impersonating 
aircrafts. 

• lack of message encryption to protect against eaves¬ 
dropping. 

• lack of challenge-response mechanisms to protect 
against replay attacks. 

• lack of ephemeral identifiers to protect against privacy 
tracking attacks. 

We did not include Denial of service (DoS), e.g., by 
jamming radio signals, because it affects RF-based commu¬ 
nication in general, and is not specific to ADS-B. 

A. Attacker Model 

Building a correct adversary model is essential in assess¬ 
ing the potential of their actions on the a system. In the 
ADS-B system, an attacker can be classified using several 
properties like his/her place in the system, physical position 
and his goals. 

1) Place in The System: 

• external - An external attacker has a higher probability 
of existence. Since it is external to the system he/she 
doesn’t require authentication or authorization and can 
execute low-cost attacks easily and can virtually belong 
to any group of the Classification III-A3; 

• intemal/insider - This is a person trusted by the system. 
For example he/she can be a pilot, an ATC controller, an 
airport technician, etc. This type of attacker has a lower 





Figure 2. PPM-encoded ADS-B 56 bit sample frame. 


probability of existence Mostly observed in intentional 
or unintentional prankster group, as shown in [46]; 

2) Physical Position: 

• ground-based - This type of attacker is most commonly 
presented and envisioned. There are certain limitations 
which can be used against his/her attacks by various 
detection and mitigation techniques; 

• airborne - This type of attacker is still overlooked 
and perhaps not very well understood and modeled. 
However, leveraging technological advances, it can 
include drones, UAV, autonomously activating checked- 
in luggage or passengers with miniature devices capable 
of performing attacks; 

3) Goals: 

• pranksters - Pranksters seen as least offensive. How¬ 
ever, the impact on safety can be considerably higher 
than assumed. For example, attackers can include un¬ 
aware pilots, ’’curious” and unaware technology exper¬ 
imenters; 

• abusive users - This type of attackers can have different 
motivations, including money, fame, message convey¬ 
ing. This can also include privacy-breaching groups 
(e.g., paparazzi), and eventually pilots intentionally 
abusing their access to ADS-B technology; 

• criminals - Such attackers can have two main motiva¬ 
tions - money and/or terror; 

• military/intelligence - Such attackers can have state- 
level motivation, such as spying, sabotage, etc. and 
can include agencies related to military or intelligence 
fields; 

B. Threats 

During the ADS-B introduction, development and deploy¬ 
ment, both academic and industrial communities tried to 
come up with threat and vulnerability models in order to 
better understand the security impacts and possible mitiga¬ 
tion techniques and solutions. 

Below is a summary of broad categories of identified and 
described threats throughout the literature. Details on each 
particular threat are presented in the subsection V-C. 

• jamming, denial of service 

• eavesdropping 

• spoofing, impersonation 


• message injection/replay 

• message manipulation 

IV. Experimental Setup 

A. Overview 

We took the most straightforward, simple and cost- 
efficient approach in building up our experimental setup. We 
deploy a COTS SDR transmitter, which transmits attacker 
controlled messages. The transmitter is controlled by a 
minimal piece of software, used to encode and control 
the attacker messages. On the receiving end, we use a 
commercial-off-the-shelf (COTS) receiver, used to confirm 
the successful reception of the attacker messages. 

B. Safety and regulatory considerations 

When doing RF-related research and experimentation, 
especially related to safety applications such as ATC, it is 
of utmost importance to abide the regulatory and safety 
prescriptions. This is to avoid any accidental interference 
with normal working of the system but also not to use radio 
frequencies without authorization. Even if the experiment 
seem perfectly safe, one need to first test it in a controlled lab 
environment. To avoid any accidental emission of signals, 
our experimental setup does not emit any radio signals, but 
simulates any emissions by transmitting signals over a cable 
directly from the transmitter to the receiver. 

To accomplish this without saturating the receiver, we use 
an inline attenuator, depicted in Figure 3 between our ADS- 
B OUT USRP1 device, i.e. attacker, and our ADS-B IN 
PlageGadget device, i.e. victim. As such our experimental 
setup does not emit any radio waves. Therefore our setup 
of wired data transmission between ADS-B IN and ADS- 
B OUT conforms to Subpart B Unintentional Radiators of 
FCC [26], 

However, this does not change the results of our experi¬ 
ments as this setup would only require an amplifier and an 
antenna to actually emit the radio signals. 

C. Hardware 

As our main hardware support, we are using an 
USRP1 [49] software defined radio device (Figure 4). The 
USRP is coupled with an SBX transceiver daughter board 
(Figure 5). The SBX transceiver daughter board [50] covers 
















































































Figure 3. Attenuator VAT-10W2+. 



Figure 4. Ettus Research USRP1 kit. 



Figure 5. Ettus Research SBX transceiver daughter board. 


400MHz-4.4 GHz spectrum range, making a good candidate 
for 1030 MHz interrogation and 1090 MHz response fre¬ 
quencies. In addition to that, its transmit and receive chains 
can be controlled separately to provide greater flexibility 
with scenarios under test. 

To assess the correctness of our implementation as well as 
the effectiveness of the attacks, we use a PlaneGadget ADS- 
B Virtual Radar [51] (Figure 6). It is a radio-enthusiast-level 
ADS-B receiver and was chosen because of it’s cost vs. 
characteristics combination. However, there exist currently 
a large number of choices for radio-enthusiast-level ADS- 
B receivers [45], any of them could be used in such an 
experimental setup. 

D. Software 

1) Overview: As our main software base, we are using 
the GNURadio [47] open-software package. GNURadio is 



Figure 6. PlaneGadget ADS-B Virtual Radar. 


a FOSS implementation of various radio primitives useful 
for higher-level designs and applications with SDRs. In 
particular, it provides very good software support for USRP1 
and USRP2. We are using the USRP hardware in Universal 
Hardware Driver (UHD) mode, which is the recommended 
one, as it supersedes the original raw device mode. 

In addition to using the PlageGadget device as our main 
ADS-B receiver and decoder, we also use our USRP1 
device as a secondary ADS-B receiver, as a backup and 
verification device. In order to use USRP1 as an ADS-B 
IN device, it requires demodulation and decoder support. 
Luckily, there are two public implementations of Mode- 
S/ADS-B receiver modules for GNURadio. Historically, the 
first implementation of Mode-S/ADS-B demodulator and 
decoder was done for pre-UHD-mode by Eric Cottrell [61]. 
The more recent implementation, which targets the UHD- 
mode, is done by Nick Foster [62], Since our USRP1 is in 
UHD-mode, we are using the ’ gr-air-modes' module [62], 

2) Software for the Replay Attack: For this attack, we are 
using out-of-box functionality of USRP1 and GNURadio, 
hence on a very high level, our approach looks as: 

• capture ADS-B using uhd_rx_cfile on 1090 MHz fre¬ 
quency 

• for the UHD-mode, use tx_samples_from_Jile to trans¬ 
mit via GNURadio the data captured data to be replayed 

• or for the pre-UHD-mode, we use usrp_repla.y_file.py 
to transmit via GNURadio the data captured data to be 
replayed 

3) Software for Impersonation Attack: For the message 
impersonation attack, i.e. spoofing, there is a need to im¬ 
plement ADS-B to PPM encoding and PPM modulation 
modules. As usual, there are multiple ways to implement a 
solution for this. One of them is by writing a native C/C++- 
based GNURadio modulator and encoder [63]. Another 
approach, that we used, is to perform most of the encoding 
and modulation in MatLab. On a very high level, our is: 











• encode high-level ADS-B data into MatLab array as 
bit-stream representation 

• modulate it in PPM in MatLab using modulate() func¬ 
tion with ’ppm’ argument 

• write modulated data from MatLab to I/Q format using 
write_complex_binary. m 

• for the UHD-mode, use tx samplesj'romjile to trans¬ 
mit via GNURadio the data encoded, modulated and 
written in MatLab at previous step 

• or for the pre-UHD-mode, use usrpreplay_Jile.py 

For obvious reasons, we cannot present full and final 

source code, but the following listing should give a general 
idea of how the encoding and modulation works for simple 
bit-streams in MatLab: 

% pulsewidth 
pw = 0.5; 

% jit is data 

% 0.5 to (avoid pulse overlap) 
d = [ 0 0 1 0 1 0 ] * 0.5; 

% sampling frequency 
fs = le6; 

[p, t] = modulate(d, 1000, fs, 'ppm', pw) ; 
t = 0: 1/fs : 1/fs*(length(p)-1); 
plot (t, p) 

V. Discussion 

Even though, provisions and specifications exists for a 
secure mode ADS-B operation, it is currently limited to 
military use. In addition to this, the specifications of the 
secure mode ADS-B are not public. Hence, this mode cannot 
be evaluated and as such analysis of the secure mode ADS- 
B would be an interesting future work. Military entities have 
a clear interest in using a secure version of ADS-B, in such 
a setup it is also easier to secure the communications, e.g., 
because all aircrafts belongs to the same entity. 

Moreover, the commercial air-traffic is prevalent, and as 
such represents a wider and easier attack surface compared 
to military secured ADS-B communications. 

A. ADS-B Misuses 

1) Pranks-like misuse: ADS-B messages allow for freely 
configured messages which can be set for example by 
the plane pilot while configuring the ADS-B device. We 
have found in public sources, e.g., [46], that currently 
parts of ADS-B messages are used to broadcast various 
human-readable messages which are unrelated to ATC, ATM 
or ADS-B, and as such constitute a disguised communi¬ 
cation channel over ADS-B protocol. Examples, of such 
human-readable messages are : VOTENOO, VOTEUNUN, 
DROPDBRK, GOTOFMS, HIDAD, SCOTSUXX, etc. 

While those messages are pranks, this capability can raise 
several concerns: 


• abuses of those messages could carry confusing mes¬ 
sages, leading to disturbing pilots from their main task, 
i.e., conducting airplanes with maximum safety. 

• these messages can be seen as hidden, or at least not so 
straightforward to intercept, information dissemination 
or hidden call for specific actions. 

B. Solutions for securing ADS-B 

Along with various existing and proposed solutions, we 
strongly believe that a lightweight PKI implementation for 
resource and bandwidth constrained devices, such as aircraft 
transponders and avionics, is a viable solution for securing 
ADS-B in the short and long terms. In this context, a 
possible interpretation for lightweight PKI could be that the 
lengths of keys are much shorter, i.e., adjusted to available 
bandwidth/bit-rate of the broadcast shared medium, and the 
computation algorithms are potentially simplified. 

The first and simplest thing that would greatly enhance 
the security of ADS-B is to add integrity verification to 
ADS-B messages (HMAC and verification). If any certi¬ 
fied ADS-B device can securely verify validity of other 
aircrafts’ broadcasts along with verification via CAs chains 
of the signature keys, the message injection is suddenly not 
possible or at least not as easy to accomplish. Hence, one 
approach would be that aircraft A transmits the bits of the 
signature within each of it’s ADS-B messages, in a cycle. 
After each cycle of N broadcasts, the signature of aircraft 
A can be gathered by the aircrafts surrounding A. Until, 
the signature key is totally gathered from broadcasts, the 
broadcasts from A cannot be verified, thus cannot be fully 
trusted. However, the surrounding aircrafts would keep these 
unverified broadcasts messages for later verification, as well 
as to construct both spatial and temporal constraints of A in 
order to verify the correctness of the gathered signature key 
of A, as well as to subsequently verify correctness of data 
reported by A. 

The above would assume and require existence of CAs 
root keys in the ADS-B transponders in order to verify 
validity and authenticity of signature keys. We also sug¬ 
gest that key-distribution problem can be overcome from 
the direction of certification process of avionics devices, 
specifically ADS-B devices. All avionics devices have to 
pass various regulatory, safety and other certifications with 
certifying bodies (FAA, EUROCONTROL, CASA). We sug¬ 
gest that, as part of this certification process, the security 
integrity check of the hardware/software of the device is 
executed and the key distribution takes place. In such a 
PKI process, certificate authorities (CAs) can be designated 
the certifying bodies, i.e. FAA, EUROCONTROL, CASA, 
which validate, revoke and update their root certificates on 
the certified devices during the certification process. 

At the same time, enough consideration for lightweight 
PKI infrastructure and protocols, such as [38], pkASSO [40], 
LPKI [39], WSN uPKI [41], should be given in order to 




address PKI challenges faced by globally-distributed ad-hoc 
network of aircrafts in general, and ADS-B in particular. 

Details on each particular solutions from other works are 
presented in the subsection V-C. 

C. Related work 

[1] and [2] suggest multiple classification for adversaries, 
in particular internal vs. external, airborn vs. ground-based, 
intentional vs. unintentional. A comprehensive classification 
is made for threats, specifically Disruption of GPS readings. 
Wireless jamming of surveillance-related communications, 
Exploitation of ADS-B communications. Manipulation of 
ADS-B communications. As mitigation for ADS-B Position 
Verification, use of multilateration and radar is proposed; 
to support ADS-B Message Verification, cryptography tech¬ 
niques are being explored; agains Exploitation of ADS- 
B communications threats, the idea of Privacy Mode and 
Privacy Enhancement for ADS-B is advanced. As long¬ 
term solutions, it is suggested to use Time Difference of 
Arrival Multilateration. As another mitigation factor, the 
Group Concept with extension to Position Verification by a 
Group of Aircraft which is being developed into a Protocol 
for Position Verification. 

In [7], authors formulate the possibility of external or in¬ 
ternal adversaries to pose threats of ADS-B Message Corrup¬ 
tion, ADS-B Message Misuse and ADS-B Message Delay. 
The proposed mitigations address GNSS Integrity, Integrity 
of ADS-B OUT Messages, ADS-B Message Anonymity and 
ADS-B Availability. As long-term solution for the ADS-B, 
group concept is proposed that would be leveraged for ADS- 
B IN Integrity and ADS-B Privacy. 

The above ideas, along with the group concept from 
[7], are continued in [4], under the assumptions of the 
same type of adversaries. Specifically, primary and sec¬ 
ondary surveillance radar infrastructures are proposed for 
integrity checks and smooth compensation of ADS-B OUT 
data, with potential enhancement or alternative by using 
multilateration. For preventing misuse of ADS-B data, a 
privacy mode is proposed, by making the aircraft compute 
a random identifier as a pseudonym. However, this can¬ 
not provide location untraceability when there is a strong 
spatial and temporal correlation between aircraft locations 
due to underlying predictable mobility of aircraft and the 
short intermessage period of ADS-B. Also, it is suggested 
that symmetric-key-based solutions offers an efficient way 
to protect integrity, authenticity, and confidentiality, while 
keyed hash or message authentication code are proposed as 
message signatures. 

McCallie et al. [10] describes a set of attacks such 
as: Aircraft Reconnaissance, Ground Station Flood Denial, 
Ground Station Target Ghost Inject, Ground Station Multiple 
Ghost Inject, Aircraft Flood Denial, Aircraft Target Ghost 
Inject, and associate each attack a difficulty level and a 
technique. Of particular interest is that the threats of Ground 


Station Target Ghost Inject and Ground Station Multiple 
Ghost Inject are marked as medium-high, whereas as we 
currently demonstrate that the difficulty level can be brought 
down to low-medium. Instead of technical solutions, the 
paper concludes with four very pertinent recommendations. 

Purton et al. [16], uses TOWS and SWOT models to do 
threat and risk analysis on GPS, ADS-B transmitter, propa¬ 
gation path and ground infrastructure up to and including the 
ATC display. It also mentions the possibility of the ADS-B 
spoofing attack. They study security and threats on a broader 
scale, not just ADS-B. However, the paper doesn’t touch 
the specifics or difficulties associated with ADS-B attacks, 
mitigations and solution. 

Parallel to academic community, hacking community has 
contributed towards ADS-B insecurity awareness raise with 
presentations of [42], [43], [44]. Of particular interest is that 
[44] mentions existence of a private and draft version of a 
Mode-S/ADS-B native C/C++ transmitter block written for 
GNURadio, which makes it yet another implementation and 
proof of the presented attacks. 

D. Future work 

This research prompts several important ideas for various 
future work items. Among the most important ones we 
foresee are: 

• security analysis of DF19, DF22 and Mode-5 se¬ 
cure/crypto modes of operation 

• development and simulation of a realistic ADS-B se¬ 
curity architecture pertaining to the ad-hoc nature and 
high-mobility challenges of aircraft traffic 

• using the USRP-based device to evaluate the security 
of real certified ADS-B devices, e.g., their resistance to 
malformed messages, etc. 

VI. Conclusion 

This paper clearly concludes over the inherent insecurity 
of the commercial-grade ADS-B protocol design. Despite 
the fact that lack of security of ADS-B technology has 
been widely covered by previous academic studies, and 
more recently by the hacking community, the fundamental 
architectural and design problems of ADS-B have never 
been addressed and fixed. Also, given the efforts in terms 
of time and money invested so far and still to be invested, 
it is unclear why such mission-critical and safety-related 
protocol doesn’t address at all and doesn’t have a security 
chapter in the main requirements specifications document 
[19]. As a closing conclusion, the main and intended contri¬ 
butions of our research is awareness raise among academic, 
industrial and policy-making sectors on the fact that criti¬ 
cal infrastructure technologies such as ADS-B require real 
security in-place in order to operate safely and according 
to the requirements. We acomplish this awareness raise via 
this academic exercise by demonstrating that a low-cost 
hardware setup combined with moderate software effort is 




enough and sufficient to induce potentially dangerous safety 
and operational perturbances in a multi-million technology 
via the exploitation of missing basic security mechanisms 
such as message authentication at least. 
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